I accidently deleted the keys of my loaded NTUSER.dat file instead of unloading it.
The file is still about 15mb big, even though all the keys are gone.
Is there any way I can recover the keys?
-
2The only way I know is to use the built in ability for Windows to roll back to a recovery point. This is the reason people who don't know what they are doing should not modify the registry by hand.– RamhoundCommented Sep 13, 2012 at 10:30
-
since it was a loaded external registry hive, no recovery is possible, unless it was backed up by you somewhere else.– MoabCommented Sep 13, 2012 at 19:08
Add a comment
|
2 Answers
Perhaps with some registry forensic tool, but AFAICS the chances are rather slim.
answered Sep 13, 2012 at 10:06
Looks like it isn't possible. If anyone has other ideas, feel free to post them!
-
what would be interesting to know, is how windows store key/value pairs in registry. if registry is doing similar to what most file systems do when they delete stuff (removing entries in a TOC instead of removing the values themselves), there is a chance to recover the deleted keys. one possibility is that NTUSER.DAT grows over the time but don't shrink immediately (the extra space would contain deleted values). one way to quick check that is to open NTUSER.DAT in a hex editor and search for a particular string or hex string that was in the deleted keys.– tigrouCommented Sep 15, 2012 at 12:15